OAuth examples #153
Merged
13a73c9
Examples to get OAuth scenarios working with APIcast + provide Sample…
2d70779
Update docker-compose.yml
mpguerra cc514d3
Allow Gateway host to be overridden via a .env file
7dcca41
Add client implementation to request access token only
551fb7f
Update README with client and updated auth-server instructions
24face1
Some README tweaks
mayorova 4389f16
Formatting and styles
mayorova f95b0d2
[examples] remove unused comments in oauth2
mikz aaa4f01
[examples] oauth example is not in apicast folder
mikz aeecf13
[examples] cleanup oauth2 ruby and docker files
mikz 8b2937e
[examples] oauth2 expects .env file to not be in git
mikz 37eb122
[examples] cleanup oauth2 example
mikz 0a8e3d1
Clean up client code: remove bind and port definitions
@@ -0,0 +1,81 @@ | ||
Running APIcast with OAuth | ||
========================== | ||
|
||
The API Gateway has a dependency on Redis when adding OAuth support. | ||
|
||
In this case, `docker-compose` has to be run in order to start up all of the required components. | ||
|
||
The command to do so is: | ||
|
||
```shell | ||
docker-compose up -d | ||
``` | ||
|
||
from the directory containing the `docker-compose.yml` file (in this case `/apicast/examples/oauth2`). | ||
|
||
The `-d` flag starts the containers up in detached mode, if you want to see the output when starting the containers, you should omit this. | ||
|
||
In order for the command to run successfully, you will also need a `.env` file with the following content (substituting the THREESCALE_PORTAL_ENDPOINT value with your own): | ||
|
||
``` | ||
# URI to fetch gateway configuration from. Expected format is: https?://[password@]hostname | ||
THREESCALE_PORTAL_ENDPOINT=https://access_token@example-admin.3scale.net | ||
|
||
# Redis host. Used to store access tokens. | ||
REDIS_HOST=redis | ||
``` | ||
|
||
The docker compose file spins up 4 services: | ||
|
||
1. APIcast | ||
2. Redis | ||
3. A very simple Authorization Server (auth-server) written in Ruby | ||
4. A sample Client to request an Authorization code and exchange that for an Access Token | ||
|
||
3scale setup | ||
------------ | ||
|
||
To get this working with a 3scale instance the following conditions should be met: | ||
|
||
1. Self-managed deployment type and OAuth authentication method should be selected | ||
2. *OAuth Authorization Endpoint* on the Integration page needs to be configured, e.g. if you're running the auth-server app on localhost this would be `http://localhost:3000/auth/login` | ||
3. Set the *Public Base URL* in the Production section of the Integration page to the gateway host e.g `http://localhost:8080` | ||
4. An application created in 3scale configured with its **Redirect URL** to point to the `client.rb` instance, e.g `http://localhost:3001/callback` | ||
|
||
Once you have APIcast configured to point to your local OAuth testing instance (Gateway + Auth Server), and you have run `docker-compose up` to start all of the required components, you can navigate to your client instance (in this case `client.rb` running on `localhost:3001`) to request an access token. | ||
|
||
client.rb | ||
--------- | ||
|
||
A very simple Sinatra app acting as a Client, running on `http://localhost:3001`. | ||
|
||
The app will display a page where you can enter a `client_id`, `redirect_uri` and `scope` to request an authorization code. | ||
|
||
The Authorization URL targeted will be the `/authorize` endpoint on your API Gateway instance, e.g `localhost:8080/authorize` | ||
The Access Token URL targeted will be the `/oauth/token` endpoint on your API Gateway instance. e.g `localhost:8080/oauth/token` | ||
|
||
Both these values are built in to the client, however, the Gateway host can be overwritten by adding a `.env` file under the `client` directory and specifying the gateway host in the `GATEWAY` environment variable (in format `<host>:<port>`), otherwise this will default to `localhost:8080` | ||
|
||
Once an authorization code is returned back to the app, you can exchange that for an access token by additionally providing a client secret. | ||
|
||
### Requesting an authorization code | ||
|
||
You can then click **Authorize** under "Step 1: Request Authorization Code" to initiate the access token request process. | ||
|
||
### Exchanging authorization code for an access token | ||
|
||
When the authorization code is returned, you can enter in your `client_id` and `client_secret` under "Step 2: Exchange Authorization Code for Access Token" and click **Get Token** to request an access token. | ||
|
||
auth-server.rb | ||
-------------- | ||
|
||
A very simple Sinatra app acting as an Authorization Server, running on `http://localhost:3000`. | ||
|
||
The app will display a log in page (`/auth/login`) which will accept any values for username and password. | ||
Once logged in, a consent page will be displayed to accept or deny the request. | ||
|
||
The authorization server will callback APIcast (running on `http://localhost:8080`) to issue an authorization code on request acceptance and the `redirect_uri` directly on denial. | ||
|
||
Once the Authorization Code is sent to the redirect URL (client callback endpoint in this case) we exchange this for an access token as per the instructions above under "Exchanging authorization code for an access token." | ||
|
||
The `auth-server.rb` code for running this example using `docker-compose` locally assumes that the Gateway host is running on `localhost:8080`. You can always override this by adding a `.env` file in the `auth-server` directory and referencing this within your `docker-compose.yml` file, same as for `client.rb`. |
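Review bot: the `.env` example under "you will also need a `.env` file" puts a 3scale access token into `THREESCALE_PORTAL_ENDPOINT` (`https://access_token@example-admin.3scale.net`), but the README never says the file must stay out of version control, even though commit 8b2937e ("oauth2 expects .env file to not be in git") relies on that. Suggest a sentence next to the example such as "Do not commit `.env`; it contains your 3scale access token", with a note that the same applies to the `.env` files described later for the `client` and `auth-server` directories. Minor wording in the same hunk: "e.g" should be "e.g.", "built in to the client" should be "built into the client", "log in page" should be "login page", and "will callback APIcast" should be "will call back to APIcast".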
@@ -0,0 +1,2 @@ | ||
.git | ||
.dockerignore |
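Review bot: `.dockerignore` excludes `.git` and itself but not `.env`; because the Dockerfile in this PR does `COPY . .`, a `.env` holding `THREESCALE_PORTAL_ENDPOINT=https://access_token@...` would be baked into an image layer and travel with the image wherever it is pushed. Suggest adding `.env` to this file and supplying those values at run time instead.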
@@ -0,0 +1,34 @@ | ||
# Use the barebones version of Ruby 2.3.1. | ||
FROM ruby:2.3.1-slim | ||
|
||
# Optionally set a maintainer name to let people know who made this image. | ||
MAINTAINER Maria Pilar Guerra Arias <pguerra@redhat.com> | ||
|
||
# Install dependencies: | ||
# - build-essential: To ensure certain gems can be compiled | ||
RUN apt-get update && apt-get install -y build-essential net-tools --fix-missing --no-install-recommends | ||
|
||
# Set an environment variable to store where the app is installed to inside | ||
# of the Docker image. | ||
ENV INSTALL_PATH /opt/app | ||
RUN mkdir -p $INSTALL_PATH | ||
|
||
# This sets the context of where commands will be ran in and is documented | ||
# on Docker's website extensively. | ||
WORKDIR $INSTALL_PATH | ||
|
||
# Copy in the application code from your work station at the current directory | ||
# over to the working directory. | ||
COPY . . | ||
|
||
# Ensure gems are cached and only get updated when they change. This will | ||
# drastically increase build times when your gems do not change. | ||
RUN bundle install | ||
|
||
# Expose a volume so that nginx will be able to read in assets in production. | ||
VOLUME ["$INSTALL_PATH/public"] | ||
|
||
# Start server | ||
ENV PORT 3000 | ||
EXPOSE 3000 | ||
CMD ["ruby", "auth-server.rb"] |
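Review bot: the comment above `RUN bundle install` says gems are cached and only updated when they change, but `COPY . .` runs first, so any change to the application code invalidates that layer and `bundle install` reruns on every build (and "drastically increase build times" reads as the opposite of what is intended). Suggest `COPY Gemfile Gemfile.lock ./` followed by `RUN bundle install` before the `COPY . .` step. Minor: `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`, and the `apt-get` layer could end with `rm -rf /var/lib/apt/lists/*` to keep the image small.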
@@ -0,0 +1,8 @@ | ||
source 'https://rubygems.org' | ||
gem 'sinatra' | ||
gem 'thin' | ||
gem 'shotgun' | ||
gem 'httpclient' | ||
gem 'json' | ||
gem 'rake' | ||
gem 'dotenv' |
@@ -0,0 +1,36 @@ | ||
GEM | ||
remote: https://rubygems.org/ | ||
specs: | ||
daemons (1.2.4) | ||
eventmachine (1.2.0.1) | ||
httpclient (2.8.2.4) | ||
json (2.0.2) | ||
rack (1.6.5) | ||
rack-protection (1.5.3) | ||
rack | ||
rake (10.4.2) | ||
shotgun (0.9.2) | ||
rack (>= 1.0) | ||
sinatra (1.4.7) | ||
rack (~> 1.5) | ||
rack-protection (~> 1.4) | ||
tilt (>= 1.3, < 3) | ||
thin (1.7.0) | ||
daemons (~> 1.0, >= 1.0.9) | ||
eventmachine (~> 1.0, >= 1.0.4) | ||
rack (>= 1, < 3) | ||
tilt (2.0.5) | ||
|
||
PLATFORMS | ||
ruby | ||
|
||
DEPENDENCIES | ||
httpclient | ||
json | ||
rake | ||
shotgun | ||
sinatra | ||
thin | ||
|
||
BUNDLED WITH | ||
1.13.1 |
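Review bot: the `DEPENDENCIES` section lists six gems, but the Gemfile in this PR adds `dotenv` as a seventh, so the lockfile is out of date with the Gemfile. `bundle install` inside the image will re-resolve and rewrite it at build time, and running against this lock with `bundle exec` would not make `dotenv` available to the `require 'dotenv'` in config.ru. Run `bundle install` locally and commit the updated Gemfile.lock.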
@@ -0,0 +1,43 @@ | ||
require 'sinatra' | ||
|
||
set :bind, '0.0.0.0' | ||
|
||
GATEWAY = ENV['GATEWAY'] || "localhost:8080" | ||
nginx_redirect_uri = "http://#{GATEWAY}/callback?" #nginx callback | ||
enable :sessions | ||
set :session_secret, '*&(^B234' | ||
|
||
get("/") do | ||
erb :root | ||
end | ||
|
||
get("/auth/login") do | ||
session[:client_id]=params[:client_id] | ||
session[:redirect_uri]=params[:redirect_uri] | ||
session[:scope]=params[:scope] | ||
session[:state] = params[:state] | ||
session[:pre_token] = params[:tok] | ||
erb :login | ||
end | ||
|
||
post("/auth/login") do | ||
redirect "/consent" | ||
end | ||
|
||
get("/consent") do | ||
@client_id = session[:client_id] | ||
@scope = session[:scope] | ||
erb :consent | ||
end | ||
|
||
get("/authorized") do | ||
callback = "#{nginx_redirect_uri}state=#{session[:state]}&redirect_uri=#{session[:redirect_uri]}" | ||
puts callback | ||
redirect callback | ||
end | ||
|
||
get("/denied") do | ||
callback = "#{session[:redirect_uri]}#error=access_deniedt&error_description=resource_owner_denied_request&state=#{session[:state]}" | ||
puts callback | ||
redirect callback | ||
end |
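Review bot: the error code in the `/denied` handler is misspelled: `error=access_deniedt` should be `error=access_denied`, otherwise a client that checks for the standard OAuth error value will not recognise the denial. Two further points in the same hunk: `session[:redirect_uri]` is taken straight from the query string in `/auth/login` and redirected to unvalidated in `/denied` (on the accept path the value passes through APIcast, on the deny path nothing checks it), so even for an example it is worth matching it against the registered redirect URL, or at least noting the limitation in the README; and `set :session_secret, '*&(^B234'` hardcodes the secret, which could be read from `ENV` alongside `GATEWAY`.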
@@ -0,0 +1,5 @@ | ||
require './auth-server' | ||
require 'dotenv' | ||
|
||
Dotenv.load | ||
run Sinatra::Application |
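Review bot: `Dotenv.load` runs after `require './auth-server'`, but `GATEWAY = ENV['GATEWAY'] || "localhost:8080"` is evaluated when auth-server.rb is required, so values from `.env` are never seen and the gateway host always falls back to `localhost:8080`. Move `require 'dotenv'` and `Dotenv.load` above the `require './auth-server'` line.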
This will copy Gemfile, which is already copied above. Remove above copy?